f7aa210664a8741f43a40429bc76bc229fcd537f18d11480b9c6211c2315331c

Analysis

max time kernel
150s
max time network
161s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_56ebbc80457d406eeffc00b330b1cdf2_cryptolocker.exe
Size

30KB
MD5

56ebbc80457d406eeffc00b330b1cdf2
SHA1

65769284738de3d0c4480420b1ad8482a4620cd2
SHA256

f7aa210664a8741f43a40429bc76bc229fcd537f18d11480b9c6211c2315331c
SHA512

f24f06d4764979d4f2c145391d779c0cb415270800f64a2172f266a3e66ae7f938c4a02c2c097838628ef7e32e7d4ebbad2cc292c57c55a29e4fe35d36991b4c
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunexRl/:bA74zYcgT/Ekd0ryfjPIunYd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2392	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
1288	2024-01-09_56ebbc80457d406eeffc00b330b1cdf2_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2392	1288	2024-01-09_56ebbc80457d406eeffc00b330b1cdf2_cryptolocker.exe	28
PID 1288 wrote to memory of 2392	1288	2024-01-09_56ebbc80457d406eeffc00b330b1cdf2_cryptolocker.exe	28
PID 1288 wrote to memory of 2392	1288	2024-01-09_56ebbc80457d406eeffc00b330b1cdf2_cryptolocker.exe	28
PID 1288 wrote to memory of 2392	1288	2024-01-09_56ebbc80457d406eeffc00b330b1cdf2_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-09_56ebbc80457d406eeffc00b330b1cdf2_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_56ebbc80457d406eeffc00b330b1cdf2_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
30KB

MD5
0a53352d3ff7667b7653d8d4b9fe42d8

SHA1
f204795270078953f96b5d2d992b3719d67179ec

SHA256
cadb4bf0c62c2192f7137090acbf520ddff8bbee1ff219577a160e913fddd6b9

SHA512
1fa8c1cc0ff2ed80ef99b8a59c39dcba27c97799b4dc2107002066d37ddb005e28dcc60b9f2779d67a13aa5695643eeaa84a8366190ac04e4dffe5cdbbb897b8

Download Submit
memory/1288-2-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1288-1-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1288-0-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2392-16-0x0000000001CE0000-0x0000000001CE6000-memory.dmp

Filesize
24KB

Download
memory/2392-15-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download